On Tue, Apr 30, 2024 at 01:44:19PM -0400, Laine Stump wrote:
> The iptables backend (which was used as the model for the nftables
> backend) used the same "filter" and "nat" tables used by other
> services on the system (e.g. firewalld or any other host firewall
> management application), so it was possible that one of those other
> services would be blocking DNS, DHCP, or TFTP from guests to the host;
> we added our own rules at the beginning of the chain to allow this
> traffic no matter if someone else rejected it later.
>
> But with nftables, each service uses their own table, and all traffic
> must be accepted by all tables no matter what - it's not possible for
> us to just insert a higher priority/earlier rule that will override
> some reject rule put in by, e.g., firewalld. Instead the firewalld (or
> other) table must be set up by that service to allow the traffic. That,
> along with the fact that our table is already "accept by default",
> makes it possible to eliminate the individual accept rules for DHCP,
> DNS, and TFTP. And once those rules are eliminated, there is no longer
> any need for the guest_to_host or host_to_guest tables.
>
> Signed-off-by: Laine Stump <laine@xxxxxxxxxx>
> ---
>
> I've just #ifdef'ed out the code that adds these rules so that it
> remains there as an example if someone wants to add in some different
> guest<->host rules in the future. I could instead completely remove
> all the now-uncompiled code, and just leave a comment referencing the
> upstream commit ID of the last commit that still contained all of that
> code. I'm fine either way.

I'm fine with an #if for a while. We can purge it later if we see no
signs of really needing it.

>  src/network/network_nftables.c         |  36 +++-
>  .../nat-default-linux.nftables         | 104 ----------
>  .../nat-ipv6-linux.nftables            | 182 ------------------
>  .../nat-ipv6-masquerade-linux.nftables | 182 ------------------
>  .../nat-many-ips-linux.nftables        | 104 ----------
>  .../nat-no-dhcp-linux.nftables         | 182 ------------------
>  .../nat-tftp-linux.nftables            | 130 -------------
>  .../route-default-linux.nftables       | 104 ----------
>  8 files changed, 33 insertions(+), 991 deletions(-)

Reviewed-by: Daniel P. Berrangé <berrange@xxxxxxxxxx>

With regards,
Daniel
--
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

Devel mailing list -- devel@xxxxxxxxxxxxxxxxx
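The nftables behaviour the commit message relies on (an accept in one service's table does not override a reject in another table on the same hook) is illustrated by the ruleset below. This is an added example, not libvirt's or firewalld's actual ruleset; the table names `host_fw` and `hypervisor`, the bridge name `virbr0` and the chain priorities are assumptions chosen for the illustration.

```nft
# Two independent tables, each with its own base chain on the "input" hook,
# as a host firewall and a hypervisor service might each install.
# (Constructed example; names and priorities are made up.)

table inet host_fw {
    chain input {
        type filter hook input priority 0; policy accept;
        # The host firewall rejects DNS arriving from the guest bridge.
        iifname "virbr0" udp dport 53 reject
    }
}

table inet hypervisor {
    chain input {
        # Lower priority number = evaluated earlier on the hook, so this chain
        # runs before host_fw's input chain.
        type filter hook input priority -10; policy accept;
        # "accept" only ends evaluation of THIS base chain. The packet still
        # continues to host_fw's input chain and is rejected there, so this
        # rule cannot override the other table's reject; it is effectively
        # redundant with the chain's "policy accept".
        iifname "virbr0" udp dport 53 accept
    }
}
```

The only way to let guest DNS through in this layout is for the owner of `host_fw` to allow it there (for example by replacing its reject with an accept for that traffic). A chain that is already "policy accept" gains nothing from per-service accept rules, which is the reasoning behind dropping them in the patch.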